Snort mailing list archives

Re: High Speed Network Cards + rules?


From: "Keith W. McCammon" <keith-list () mccammon org>
Date: Mon, 24 May 2004 15:08:10 -0400

        It is my understanding that most network cards at 50% capacity begin to
miss packets and create a false-negative condition (IDS evasion technique).
Is anyone aware of any cards that exist that collect 100% of the traffic
with 0% false negatives due to this condition?  If not, what is the next
best thing?

The amount of dropped packets is a function of a lot more than the card. You have memory, CPU, etc. Having a good card (Intel Pro has always worked very well for me--as good as any) goes a long way, but you need a goodly amount of RAM and CPU time to keep up if you want to push the limits of your network.

        Secondly, does anyone know of any other snort rule repositories aside from
those presented at snort.org?

Http://whitehats.com is the largest that comes to mind. Generally speaking, the more rule repositories we have, the worse off we are. Rules should be submitted to and classified via the snort-rules list and the master rules database. You get Snort, you get *all* the rules. Turn 'em on and off from there. I'm rambling...

